Fetchmail with SSL

From Antiflux Wiki

Revision as of 06:17, 13 September 2006 by Yohanan (Talk | contribs)
Jump to: navigation, search

My home machine runs Gentoo Linux. I pull all the e-mail from my various accounts---personal, school, etc.---to my home machine and read it from there. I use fetchmail to pull my e-mail, and I use mutt to read/send my e-mail.

This article does not attempt to go into the depths of using fetchmail. Rather, it describes a specific issue I had while pulling mail from antiflux. Specifically, I use fetchmail in conjunction with SSL and was running into error messages because the Antiflux root CA is not issued by a well-known authority. What I list below are the steps to setting up fetchmail using SSL to obtain e-mail from antiflux. This is a slightly more specific (to antiflux) description I originally posted in a Gentoo forum.

Preliminary Information

My home directory is /home/yohanan

Here are the original errors I was seeing whenever fetchmail:

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Here is the pertinent information I (now) have in my .fetchmailrc file:

poll mail.antiflux.org with proto IMAP
        user 'yohanan' there with password 'PASSWORD' is 'yohanan' here ssl
sslcertck sslfingerprint 'E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7'
sslcertpath /home/yohanan/.certs fetchall


The Steps

Step 1: create a local repository for the certificates

$ mkdir /home/yohanan/.certs

Step 2: get the mail server certificate

$ openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts

Press Ctrl-D when you get the Ok line to terminate the session. Scroll up through the output generated and copy/paste the lines of output inclusive of the lines listed below.

-----BEGIN CERTIFICATE-----
...
<a whole lot of cryptic ascii here>
...
-----END CERTIFICATE-----

Save them in a file in /home/yohanan/.certs. The file must end in a pem extension. For example, you could name the file imap.antiflux.org.pem.

Step 3: get the root certificate

$ cd /home/yohanan/.certs
$ wget http://antiflux.org/ca/antiflux.org-root.crt
$ mv antiflux.org-root.crt antiflux.org-root.pem

Step 4: run c_rehash on the certificates directory

$ c_rehash /home/foobar/.certs

you should see results similar to the following:

Doing /home/yohanan/.certs
antiflux.org.pem => 6aaf9651.0
antiflux.org-root.pem => 3a918149.0

Step 5: recheck your work

Re-run the following command:

openssl s_client -CApath /home/foobar/.certs -connect pop.foobar.com:995 -showcerts

Scroll to the top of the output and look for a depth=1. This implies that the certificates are now in working order.

Personal tools